b'               UNITED STATES GOVERNMENT ACCOUNTABILITY OFFICE\n\n\n\n\n     G                    Office of Inspector General\n\n     May 2009\n                          Semiannual\n                          Report\n                          October 1, 2008 \xe2\x80\x94\n                          March 31, 2009\n\n\n\n\nGAO/OIG-09-5\n\x0c                                                         Office of the Inspector General\n                                         United States Government Accountability Office\n\n\n\n\nMemorandum\nDate:       May 8, 2009\n\nTo:         Acting Comptroller General \xe2\x80\x93 Gene L. Dodaro\n\n\nFrom:       Inspector General \xe2\x80\x93 Frances Garcia\n\nSubject:    Semiannual Report \xe2\x80\x93 October 1, 2008, through March 31, 2009\n\nIn accordance with Section 5 of the Government Accountability Office Act of 2008\n(GAO Act), I am submitting my semiannual report for the first half of fiscal year 2009\nfor your comments and its transmission to the Congress.\n\nDuring this period, the Office of the Inspector General (OIG) undertook a number of\nactions to implement requirements in the GAO Act and selected provisions in the\nInspector General Reform Act of 2008. These actions included drafting a new GAO\norder and policies and procedures, to emphasize the statutory role and\nresponsibilities of the OIG; establishing a page on GAO\xe2\x80\x99s Web site to make the OIG\xe2\x80\x99s\nproducts readily available to the Congress and the public; hiring an attorney to\nprovide independent legal advice and counsel; and actively participating in the newly\nestablished Council of Inspectors General on Integrity and Efficiency.\n\nIn addition, we issued one report with recommendations\xe2\x80\x94our fiscal year 2008\nevaluation of GAO\xe2\x80\x99s voluntary compliance with the information security program and\npractices required by the Federal Information Security Management Act of 2002. (See\nattachment for a summary of this report and GAO actions to address its\nrecommendations.) Further, we monitored the agency\xe2\x80\x99s efforts to assess and report\non internal controls consistent with guidance provided by the Office of Management\nand Budget in its Circular No. A-123, Management\xe2\x80\x99s Responsibility for Internal\nControl, and initiated an audit risk assessment of GAO to aid in our development of\nrisk-based audit work plans. Our ongoing work included reviews of GAO\nperformance measures for three areas\xe2\x80\x94human capital management, product\ntimeliness, and GAO testimonies.\n\nRegarding our efforts to identify potential fraud, waste, or abuse within GAO, we\nreceived 28 inquiries and allegations this reporting period through our hotline and\nother sources. Twelve concerned matters related to other federal agencies, so they\nwere closed with a referral to GAO\xe2\x80\x99s FraudNet\xe2\x80\x94a mechanism that anyone may use to\nreport allegations of fraud, waste, abuse, or mismanagement of federal funds\xe2\x80\x94or the\nappropriate agency Office of Inspector General. Four were closed due to insufficient\nfactual information that would warrant further investigation; three others were\nclosed with a referral to the appropriate GAO office because they involved personnel\n                                                          GAO/OIG-09-5 Semiannual Report\n\x0cand security matters. Regarding the other nine cases, we completed action on four,\nincluding one where an employee resigned as a result of the investigation. At the end\nof the reporting period, five cases remained open.\n\nFinally, in response to recommendations made in a prior report, Diversity at GAO:\nSustained Attention Needed to Build on Gains in SES and Managers (GAO-08-1098,\nSept. 10, 2008), GAO has incorporated diversity goals in Senior Executive Service\nperformance appraisals and established procedures to better ensure the\ncompleteness and accuracy of its publicly reported discrimination data. In addition,\nthe agency has drafted an order to establish a requirement for an annual Workforce\nDiversity Plan and to revise its discrimination complaint process to clarify\nresponsibilities and procedures when a complaint involves staff within GAO\xe2\x80\x99s Office\nof Opportunity and Inclusiveness. GAO expects the revised order to be published for\nagencywide comment soon and made final shortly thereafter. In addition, the agency\nhas implemented and strengthened internal controls for tracking, reviewing, and\nreporting complaint data.\n\nAttachment\n\ncc: Ms. Harper, Chief Administrative Officer\n    Mr. Gordon, Acting General Counsel\n\n\n\n\nPage 2                                                   GAO/OIG-09-5 Semiannual Report\n\x0cAttachment\n\n                   Summary of OIG Reports and GAO Actions\n\n\nReports Issued October 1, 2008 - March 31, 2009\n\nIndependent Evaluation of GAO\xe2\x80\x99s Information Security Program and Practices\xe2\x80\x94\nFiscal Year 2008, GAO/OIG-09-1 (Oct. 2, 2008).\n\nFindings:\n\nIn this report, the OIG concludes that GAO has generally established an information\nsecurity program consistent with the requirements of the Federal Information\nSecurity Management Act of 2002 (FISMA) and guidance issued by the Office of\nManagement and Budget and the National Institute of Standards and Technology, but\nthat GAO has not fully implemented several information security and privacy-related\nrequirements.\n\nRecommendations and GAO Actions:\n\nThe report includes six recommendations to improve GAO\xe2\x80\x99s information security\npractices and its Privacy Program. GAO management concurred with each of the\nrecommendations and in response has conducted an assessment of the agency\xe2\x80\x99s\nsystems and applications to update its systems inventory, established a process for\nincorporating specific security language as appropriate in information technology\nacquisitions, begun identifying additional content for its information security\nawareness training, and continued negotiations with other agency service providers\nto help GAO better monitor the remediation of security weaknesses identified for\nproviders\xe2\x80\x99 systems. In addition, GAO has drafted privacy policy, developed a Privacy\nImpact Assessment process and template, and plans to conduct assessments during\nfiscal year 2009 for 20 major systems that contain personally identifiable information.\n(998268)\n\n\n\n\n(998279)\n\n\n\nPage 3                                                    GAO/OIG-09-5 Semiannual Report\n\x0c'